Report: NSA spying broke privacy rules many times

WASHINGTON — The National Security Agency has broken privacy rules or overstepped its legal authority thousands of times each year since Congress granted the agency broad new powers in 2008.

Most of the infractions involve unauthorized surveillance of Americans or foreign intelligence targets in the United States, both of which are restricted by law and executive order, according to documents leaked by former NSA analyst Edward Snowden and first published Thursday in The Washington Post. They range from significant violations of law to typographical errors that resulted in unintended interception of U.S. emails and telephone calls, the Post said, citing a May 3, 2012, internal audit and other top-secret documents provided it earlier this summer.

In one of the documents, agency personnel are instructed to remove details and substitute more generic language in reports to the Justice Department and the Office of the Director of National Intelligence.

The Post cited a 2008 example of the collection of a "large number" of phone records from Washington, D.C.-based phone numbers when a programming error confused the U.S. area code for the capital of 202 for 20-2, the international dialing code for Egypt and the city code for Cairo, according to a "quality assurance" review that was not distributed to the NSA's oversight staff.

The NSA also saw a large spike in the number of "roamers," or overseas, phone calls wrongly tracked in the first quarter of 2012, when those roamers traveled into the United States territory, which is outside NSA's authority. The May 2012 compliance report said the errors may have been due to tracking Chinese targets who were visiting friends and relatives for the Chinese lunar new year.

In another case, the Foreign Intelligence Surveillance Court, which has authority over some NSA operations, did not learn about a new collection method until it had been in operation for many months. The court ruled it unconstitutional.

The NSA audit obtained by the Post, counted 2,776 incidents in the preceding 12 months of unauthorized collection, storage, access to or distribution of legally protected communications. Most were unintended. Many involved failures of due diligence or violations of standard operating procedure. The most serious incidents included a violation of a court order and unauthorized use of data about more than 3,000 Americans and green-card holders.

"The number of 'compliance incidents' is jaw-dropping," Jameel Jaffer, ACLU deputy legal director, said in a statement emailed late Thursday. "At least some of these incidents seem to have implicated the privacy of thousands or millions of innocent people."

The White House on Friday declined to comment on the latest revelations about surveillance of Americans and foreigners by the NSA. It directed questions to the National Security Council, and NSC spokeswoman Caitlin Hayden directed questions to the NSA.

In a statement emailed to The Associated Press late Thursday, NSA spokeswoman Vanee Vines said the number of incidents in the first quarter of 2012 was higher than normal, and that the number has ranged from 372 to 1,162 in the past three years, due to factors like "implementation of new procedures or guidance with respect to our authorities that prompt a spike that requires 'fine tuning,' changes to the technology or software in the targeted environment for which we had no prior knowledge, unforeseen shortcomings in our systems, new or expanded access, and 'roaming' by foreign targets into the U.S., some of which NSA cannot anticipate in advance but each instance of which is reported as an incident."

"When NSA makes a mistake in carrying out its foreign intelligence mission, the agency reports the issue internally and to federal overseers -- and aggressively gets to the bottom of it," Vines said.

The NSA also offered a statement from John DeLong, NSA's director of compliance, who said, "We want people to report if they have made a mistake or even if they believe that an NSA activity is not consistent with the rules. NSA, like other regulated organizations, also has a 'hotline' for people to report — and no adverse action or reprisal can be taken for the simple act of reporting. We take each report seriously, investigate the matter, address the issue, constantly look for trends and address them as well — all as a part of NSA's internal oversight and compliance efforts. What's more, we keep our overseers informed through both immediate reporting and periodic reporting."

When asked why the Post did not publish the story earlier, though it said it had the documents for months, spokeswoman Kris Coratti emailed Friday that "it has taken some time to study them and understand the information they contain."